The route to reversing my router

I have been dabbling in reverse engineering a bit lately, trying to get progressively better. While updating my router and attempting to configure some setting, I figured why not attempt to reverse the firmware. Keep in mind I'm pretty new to reversing, so I will include the roadblocks I hit along my journey.


Router type: ASUS RT-AC53U

Firmware: Version 3.0.0.4.376.3754

Description: Dual-band wireless-AC1200 router

Filetype: .zip extracted into .trx


Downloading

I started by downloading the firmware from the ASUS website, which was not too difficult to find:


Static File Analysis

Once I downloaded the software I simply double clicked it and it extracted into a .trx file. I was instantly pretty baffled by the file extension, which I had never seen before, so I ran the file command on it:

sneakerhax$ file RT-AC53U_3.0.0.4_376_3754-g5ef7c1f.trx
RT-AC53U_3.0.0.4_376_3754-g5ef7c1f.trx: data

This still did not reveal what I wanted to know so I tried running xxd on it to look for the magic bytes:

sneakerhax$ xxd -l 4 RT-AC53U_3.0.0.4_376_3754-g5ef7c1f.trx
0000000: 4844 5230                                HDR0

I searched for HDR0 and was able to find some information on the openwrt website which started to clear things up. I also ran strings and hexdump which are too long to paste in this article but are good to perform during static analysis. Now I knew I had to dump the contents of the firmware image.

Extracting and Analyzing

I used binwalk to take an initial look at the file:

sneakerhax$ binwalk RT-AC53U_3.0.0.4_376_3754-g5ef7c1f.trx 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             TRX firmware header, little endian, image size: 26750976 bytes, CRC32: 0x154FEC57, flags: 0x0, version: 1, header size: 28 bytes, loader offset: 0x1C, linux kernel offset: 0x136078, rootfs offset: 0x0
28            0x1C            LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 3482336 bytes
1269880       0x136078        Squashfs filesystem, little endian, non-standard signature, version 3.0, size: 25475764 bytes, 1420 inodes, blocksize: 65536 bytes, created: 2015-01-10 15:52:29
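To make sense of the HDR0 magic and the fields binwalk printed (image size, CRC32, flags/version, header size 28 bytes, and the three section offsets), here is a small parser for the TRX header as documented on the OpenWrt wiki. This is an added example written for this post, not code from the original article or from binwalk. It builds a constructed TRX image in memory so it runs offline; the CRC convention it uses (CRC-32 with initial value 0xFFFFFFFF and no final inversion, computed from the flag/version field to the end of the image) is my understanding of OpenWrt's trx tool and should be confirmed against a real image before trusting it.

```python
import struct
import zlib

TRX_MAGIC = b"HDR0"
TRX_HEADER_LEN = 28   # 4 magic + 4 length + 4 crc32 + 4 flag_version + 3 * 4 offsets
TRX_CRC_START = 12    # CRC covers flag_version, the offsets and the payload


def trx_crc32(data: bytes) -> int:
    """CRC-32 the way (to my understanding) OpenWrt's trx tool computes it:
    init 0xFFFFFFFF, no final inversion. zlib.crc32 inverts at the end, so undo that."""
    return zlib.crc32(data) ^ 0xFFFFFFFF


def magic_hex(image: bytes, n: int = 4) -> str:
    """Equivalent of `xxd -l 4`: the first n bytes as hex, for a quick magic check."""
    return image[:n].hex()


def parse_trx_header(image: bytes) -> dict:
    """Parse and validate a TRX header; raises ValueError on structural problems."""
    if len(image) < TRX_HEADER_LEN:
        raise ValueError("image shorter than a TRX header")
    magic, length, crc, flag_version, off0, off1, off2 = struct.unpack_from(
        "<4sIIIIII", image, 0
    )
    if magic != TRX_MAGIC:
        raise ValueError(f"bad magic {magic!r}, expected {TRX_MAGIC!r}")
    if length < TRX_HEADER_LEN or length > len(image):
        raise ValueError(f"length field {length} inconsistent with {len(image)} bytes read")
    computed = trx_crc32(image[TRX_CRC_START:length])
    return {
        "magic": magic.decode("ascii"),
        "image_size": length,
        "crc32": crc,
        "crc32_computed": computed,
        "crc_ok": crc == computed,       # a corrupted or tampered image fails here
        "flags": flag_version & 0xFFFF,  # low 16 bits
        "version": flag_version >> 16,   # high 16 bits
        "header_size": TRX_HEADER_LEN,
        # binwalk labels these loader / linux kernel / rootfs offsets
        "offsets": (off0, off1, off2),
    }


def build_trx(payload: bytes, offsets=(TRX_HEADER_LEN, 0, 0), version=1, flags=0) -> bytes:
    """Construct a minimal TRX image around a payload (for testing the parser)."""
    length = TRX_HEADER_LEN + len(payload)
    body = struct.pack("<IIII", (version << 16) | flags, *offsets) + payload
    return TRX_MAGIC + struct.pack("<II", length, trx_crc32(body)) + body


# Constructed sample: a fake "loader" blob sitting right after the header (offset 0x1C),
# mirroring the layout binwalk reported for the RT-AC53U image.
SAMPLE_PAYLOAD = b"\x5d\x00\x00\x01\x00" + b"constructed loader blob, not real firmware"
SAMPLE_IMAGE = build_trx(SAMPLE_PAYLOAD, offsets=(0x1C, 0x0, 0x0))


def tampered_copy(image: bytes) -> bytes:
    """Flip one payload byte to show the CRC check catching a modified image."""
    buf = bytearray(image)
    buf[-1] ^= 0xFF
    return bytes(buf)


if __name__ == "__main__":
    hdr = parse_trx_header(SAMPLE_IMAGE)
    print("magic bytes:", magic_hex(SAMPLE_IMAGE))
    for key, value in hdr.items():
        print(f"{key:>15}: {value:#x}" if isinstance(value, int) else f"{key:>15}: {value}")
    print("tampered crc_ok:", parse_trx_header(tampered_copy(SAMPLE_IMAGE))["crc_ok"])
```

Running this against the real .trx would print the same fields binwalk showed; the useful part for a defender is `crc_ok`, which tells you whether the image you are about to flash or analyse matches its own checksum (note that a CRC is an integrity check only, not an authenticity check, so a modified image can simply be re-summed).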

Now I was starting to get somewhere. I still needed to extract the files that were inside:

binwalk -Mre RT-AC53U_3.0.0.4_376_3754-g5ef7c1f.trx
Output can be found here

This worked to extract the files and I had a ton of stuff to look at. I started analyzing the output. I thought it might be a good idea to search for "version" throughout the binwalk analysis, and while trying to find the Linux kernel version I came across some interesting findings:

  • POSIX tar archive (GNU), owner user name: “ter”(Username found)
  • ELF, 32-bit LSB executable, MIPS, version 1 (SYSV)(References to MIPS)
  • Found references to used software(Squid, ftp, etc)

I also searched for kernel and found some other interesting findings:

  • Packages that were being used
  • ftp.kernel.org/pub/linux/utils/util-linux-ng/v2.15/util-linux-ng-2.15.tar.gz(kernel version?)

***Work in progress***

References

  • http://www.devttys0.com/2011/05/reverse-engineering-firmware-linksys-wag120n/
  • https://en.wikibooks.org/wiki/Reverse_Engineering/File_Formats
  • https://wiki.openwrt.org/doc/techref/header
  • https://github.com/sneakerhax/Resources/blob/master/runbooks/reverse-engineering.md
